In this example I am looking at a scenario where some particular users in your organisation need to be automatically logged off from a specific computer (in this case it is a Terminal Server) after some time, after the user has closed the connection to the Terminal Server but did not log off from the server.
In real life this is a very frequent scenario, because the user simply closes the remote desktop session with the “x” on the title bar of the remote desktop window. I even do it myself, because the “log off” button is somewhat hidden.
You might be writing those beautiful emails to your users, explaining the correct process for closing the RDS session, but you are most likely to lose this battle because there will always be someone who doesn’t obey. That’s life … get used to it 🙂
But why would we want to force a log off from a Terminal Server? Well, it’s all about the precious resources. If you have one or two users, they will not have much negative influence on the server performance, but if you have 100 users … then things change dramatically.
In this tutorial I will quickly look at one of the few ways this can be achieved. We will be using a special GPO function called “Loopback” processing.
We will cover following steps:
- Creating a group of users who are not to be logged off automatically
- Creating an OU (Organisational Unit) to hold our Terminal Server
- Creating a GPO to automatically log off users
1. Creating a group of users who are not to be logged off automatically
Go into Server Manager and start the Active Directory Users and Computers console. Please note that everything will be done on the Active Directory server and not on the Terminal Server directly.
From there navigate to the OU where you store your groups. Create a new group (domain local scope). In my case it will be
\FunctionGroups\RDS_Auto_LogOff_Exceptions
Now exempt the users who are not to be affected by the auto logoff function by simply adding them to the group.
2. Create an OU to hold the Terminal Server
Open the Group Policy editor via Server Manager. Right-click on your domain tree and from the menu add a new Organisational Unit. Let us call it TerminalServer. Now drag the Terminal Server computer object into that newly created OU. Most likely the Terminal Server is found inside the “Computers” OU. Be advised, though, that if you had any other GPOs linked specifically to the Computers OU that should still affect the Terminal Server, make sure to relink those GPOs to the newly created OU “TerminalServer”.
3. Create a GPO to automatically log off users
As a next step we are going to create a GPO which will log off the users after x minutes of being disconnected from the Terminal Server session.
Create a new GPO, name it for example “AutoLogOff Disconnected Users from TerminalServer”
Best Practice: Make sure to always use descriptive names for the GPOs. At the end of the day you must be able to tell what the GPO is all about.
Let us modify the GPO and go into following settings:
User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits
We are going to modify two entries. (Unfortunately the screenshot below is in German, but you will certainly find it in English too 😉)
We are going to activate both settings:
1. Set time limit for disconnected sessions
2. Set time limit for logoff of RemoteApp sessions
Let us choose a time limit. I set it to 30 min. You can set it to anything you like.
In general it would be enough to set up just one of the two settings. The first one is more general, with a broader scope, and independent of RemoteApp. For the purpose of this tutorial I will leave both activated.
As the next step we will have to activate the loopback processing setting for this particular GPO.
Let us navigate, within the same GPO edit, to:
Computer Configuration > Policies > Administrative Templates > System > Group Policy
Enable the setting “Configure user Group Policy loopback processing mode”.
Now we go back to the GPO list and, on the right side in the properties of the GPO, make sure that Authenticated Users is listed under Security Filtering as shown below.
As the next step, we need to go into the Delegation tab of the GPO. Once there, click on Advanced and add the previously created group “RDS_Auto_LogOff_Exceptions”.
Inside the advanced security options we need to do the following:
1. For Authenticated Users, set Read and Apply group policy to Allow
2. For RDS_Auto_LogOff_Exceptions, set Read and Apply group policy to Deny.
Once this has been done we are going to link the newly completed policy to the TerminalServer OU.
As the last step we must run the “gpupdate” command on both the DC and the Terminal Server:
> gpupdate /force
After completion make sure that all users on the Terminal Server are logged off. If that is not the case, go to the Terminal Server and force a log off for each user. This can be done via Task Manager on the Users tab.
This is it. From now on, each user who only disconnects from the Terminal Server will also be logged off automatically. Any exceptions can be added to the exceptions group “RDS_Auto_LogOff_Exceptions”, and these users will not be affected by the auto log off.
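For those who prefer to script the three steps above instead of clicking through the consoles, here is the whole procedure as a PowerShell script. This is an added example, not part of the original post, and it uses the RSAT ActiveDirectory and GroupPolicy modules on a domain controller. The group, OU and GPO names are the ones from this post; the Terminal Server name (TS01), the OU path for the group (OU=FunctionGroups) and the loopback mode (Merge, since the post does not say which mode it used) are my own assumptions and must be adapted.

```powershell
# Added example (not from the original post): the tutorial's three steps as a script.
# Requires the RSAT ActiveDirectory and GroupPolicy modules; run on a DC as a GPO admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN   = (Get-ADDomain).DistinguishedName
$groupName  = 'RDS_Auto_LogOff_Exceptions'
$groupOU    = "OU=FunctionGroups,$domainDN"   # assumption: the OU where your groups live
$tsOUName   = 'TerminalServer'
$tsOUDN     = "OU=$tsOUName,$domainDN"
$tsComputer = 'TS01'                          # assumption: name of the Terminal Server
$gpoName    = 'AutoLogOff Disconnected Users from TerminalServer'
$timeoutMs  = 30 * 60 * 1000                  # 30 minutes; both policies store milliseconds

# Step 1: the exceptions group (domain local security group)
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
}
# Add-ADGroupMember -Identity $groupName -Members 'alice','bob'   # users to exempt (constructed names)

# Step 2: an OU for the Terminal Server, then move the computer object into it
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$tsOUName'")) {
    New-ADOrganizationalUnit -Name $tsOUName -Path $domainDN
}
$ts = Get-ADComputer -Identity $tsComputer
if ($ts.DistinguishedName -notlike "*,$tsOUDN") {
    Move-ADObject -Identity $ts.DistinguishedName -TargetPath $tsOUDN
}

# Step 3: the GPO with the two session time limits (user side) and loopback (computer side)
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Logs off disconnected RDS sessions after 30 min'
}
$tsKey = 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services'
# "Set time limit for disconnected sessions"
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'MaxDisconnectionTime' `
    -Type DWord -Value $timeoutMs | Out-Null
# "Set time limit for logoff of RemoteApp sessions"
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'RemoteAppLogoffTimeLimit' `
    -Type DWord -Value $timeoutMs | Out-Null
# "Configure user Group Policy loopback processing mode": 1 = Merge, 2 = Replace (assumption: Merge)
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Security filtering: Authenticated Users get Read + Apply (New-GPO already sets this by default)
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Exceptions group: Deny Read and Deny "Apply Group Policy" on the GPO's AD object.
# Set-GPPermission cannot write Deny entries, so the ACL of the groupPolicyContainer is edited directly.
$groupSid      = (Get-ADGroup -Identity $groupName).SID
$applyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # "Apply Group Policy" extended right
$gpoAdPath     = "AD:\$($gpo.Path)"
$acl = Get-Acl -Path $gpoAdPath
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny, $applyGpoRight)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny)))
Set-Acl -Path $gpoAdPath -AclObject $acl

# Link the GPO to the TerminalServer OU and refresh policy on the Terminal Server
$existingLink = (Get-GPInheritance -Target $tsOUDN).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $tsOUDN -LinkEnabled Yes | Out-Null
}
Invoke-GPUpdate -Computer $tsComputer -Force -RandomDelayInMinutes 0

# Check: read the two time limits back out of the GPO (both should show 1800000)
Get-GPRegistryValue -Name $gpoName -Key $tsKey | Select-Object ValueName, Value
```

Two things to keep in mind when using it: setting the Deny entries through Set-Acl changes only the ACL of the GPO object in Active Directory, so the first time you open the GPO in GPMC it will report that the SYSVOL permissions differ and offer to synchronise them (accept that). And the Deny on "Apply Group Policy" is the entry that actually keeps the exceptions group out of the policy; the Deny on Read mirrors what the post does in the Delegation tab.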